Memory Analysis - Writeup by toffan


Find the website that the fake svchost is accessing.


We get a RAM dump of a VM, forensic_100.raw. First, we find that it is a Windows XP image. Then, following the hint, we look for the hosts file, which we find at address 0x000000000217b748; it contains an interesting entry.

$ volatility -f forensic_100.raw imageinfo
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

$ volatility -f forensic_100.raw filescan | fgrep hosts
0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

$ volatility -f forensic_100.raw dumpfiles -Q 0x000000000217b748 --name -D dump
$ cat dump/file.None.0x819a3008.hosts.dat

The challenge tells us that there is a problem with the svchost service, so this is the process we are going to analyse. We know that it is accessing a website, possibly the one we found just before. We find a URL.

$ volatility -f forensic_100.raw pslist | grep svchost
0x81f65da0 svchost.exe            1776    672      2       23      0      0 2016-12-06 05:27:10 UTC+0000

$ volatility -f forensic_100.raw memdump -p 1776 -D dump
$ strings dump/1776.dmp | fgrep

What is strange here is that the hosts translation is not the official one. If we try to access it from a web browser we find a random website, but if we access we are redirected to the root. Finally, with curl everything becomes clearer.

$ dig
;; ANSWER SECTION:
    3471    IN  A
    3471    IN  A

$ curl
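The check done by hand above (compare what the dumped hosts file says against what public DNS answers for the same name) can be scripted. This is an added example, not part of toffan's writeup: the hosts contents and the DNS answers below are constructed sample data, not the challenge's real values.

```python
import ipaddress

# Constructed sample hosts file, laid out like
# \WINDOWS\system32\drivers\etc\hosts (not the challenge's real content).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   update.example.com   # suspicious override
203.0.113.7     cdn.example.net
"""

# Constructed "public DNS" view: what dig would return for these names
# when asked from an uncompromised host.
PUBLIC_DNS = {
    "update.example.com": {"192.0.2.10", "192.0.2.11"},
    "cdn.example.net": {"203.0.113.7"},
}

def parse_hosts(text):
    """Return (ip, hostname) pairs; strips '#' comments, allows several names per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, skip malformed line
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries

def find_overrides(entries, dns):
    """Flag non-loopback hosts entries whose IP is not among the public DNS answers."""
    overrides = []
    for ip, name in entries:
        if ipaddress.ip_address(ip).is_loopback:
            continue
        expected = dns.get(name)
        if expected is not None and ip not in expected:
            overrides.append((name, ip, sorted(expected)))
    return overrides

if __name__ == "__main__":
    for name, ip, expected in find_overrides(parse_hosts(SAMPLE_HOSTS), PUBLIC_DNS):
        print(f"{name}: hosts -> {ip}, DNS -> {', '.join(expected)}")
```

In a real case the DNS dict would be filled from dig output for the names found in the dumped hosts file; any entry reported by find_overrides is a redirection worth following up with curl, as the writeup does.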